CN114124404B - Data processing method, device, server and storage medium - Google Patents

Data processing method, device, server and storage medium Download PDF

Info

Publication number
CN114124404B
CN114124404B CN202111342923.1A CN202111342923A CN114124404B CN 114124404 B CN114124404 B CN 114124404B CN 202111342923 A CN202111342923 A CN 202111342923A CN 114124404 B CN114124404 B CN 114124404B
Authority
CN
China
Prior art keywords
key
identifier
terminal
data
group
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111342923.1A
Other languages
Chinese (zh)
Other versions
CN114124404A (en
Inventor
任梦璇
薛淼
刘千仞
任杰
王光全
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202111342923.1A priority Critical patent/CN114124404B/en
Publication of CN114124404A publication Critical patent/CN114124404A/en
Application granted granted Critical
Publication of CN114124404B publication Critical patent/CN114124404B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a data processing method, a device, a server and a storage medium, relates to the technical field of communication, and solves the technical problem that a terminal in the prior art can not effectively generate a digital signature and/or store data acquired by the terminal; since generating a digital signature is a data processing procedure, the efficiency of data processing can be improved. The method comprises the following steps: acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group; acquiring a first private key and a preset hash algorithm based on the identification of the first key group; generating a target digital signature of the original data based on the original data, the preset hash algorithm and a first private key; and sending a target data set to first service equipment, wherein the target data set comprises the original data and the target digital signature, and the first service equipment is the service equipment corresponding to the first application program.

Description

Data processing method, device, server and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data method, a data device, a server, and a storage medium.
Background
Currently, a terminal may perform data encryption calculation on collected data to generate a digital signature, and the terminal may store the collected data and the digital signature, thereby verifying whether the collected data is tampered based on a corresponding public key, and the like.
However, in the above method, due to the limited storage capability and computing capability of some terminals, the terminals may not be able to effectively generate digital signatures and/or store data collected by the terminals, and since generating digital signatures is a data processing process, the efficiency of data processing is reduced, thereby affecting the accuracy of data verification.
Disclosure of Invention
The invention provides a data processing method, a device, a server and a storage medium, which solve the technical problem that the terminal can not effectively generate a digital signature and/or store data acquired by the terminal and can reduce the efficiency of data processing due to the limited storage capacity and calculation capacity of the terminal in the prior art.
In a first aspect, the present invention provides a data processing method, including: acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to the identifier of the first terminal group and the identifier of the first application program; acquiring a first private key and a preset hash algorithm based on the identification of the first key group, wherein the first private key is a private key included in the first key group; generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key; and sending a target data set to first service equipment, wherein the target data set comprises the original data and the target digital signature, and the first service equipment is the service equipment corresponding to the first application program.
In a second aspect, the present invention provides a data processing method, including: receiving a target data set sent by a data gateway, wherein the target data set comprises original data acquired by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first key set, the first key set is a key set corresponding to both an identifier of the first terminal set and an identifier of the first application program, and the first terminal set is a terminal set corresponding to the first terminal; sending a data verification account book query request to the blockchain management equipment, wherein the data verification account book query request comprises the identification of the first terminal group and the identification of the first application program, and the data verification account book query request is used for requesting to acquire public keys corresponding to the identification of the first terminal group and the identification of the first application program; receiving a data verification account book query response sent by the blockchain management device, wherein the data verification account book query response comprises a first public key, the first public key is a public key included by the first key group, and the first public key is determined by the blockchain management device based on the identification of the first terminal group and the identification of the first application program; and determining whether the original data has an abnormality based on the target digital signature, the first public key and the preset hash algorithm.
In a third aspect, the present invention provides a data processing method, including: receiving a key allocation request sent by a first service device, wherein the key allocation request comprises identifiers of a plurality of terminal groups and identifiers of a first application program, the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group comprises at least one terminal, the first application program is an application program corresponding to the first service device, and the key allocation request is used for requesting to allocate keys for the plurality of terminal groups; distributing key sets for the plurality of terminal sets, wherein the key set corresponding to one terminal set is the key set corresponding to both the identifier of the terminal set and the identifier of the first application program; transmitting a key allocation response to the first service device, wherein the key allocation response comprises identifiers of key groups corresponding to the terminal groups; storing the identifiers of the plurality of terminal groups, the identifiers of the first application program and the public keys corresponding to the plurality of terminal groups to a data integrity verification account book, and sending the private keys corresponding to the plurality of terminal groups and the identifiers of the key groups corresponding to the plurality of terminal groups to a data gateway, wherein the public key corresponding to one terminal group is a public key included in the key group corresponding to the identifier of the terminal group and the identifier of the first application program, and the private key corresponding to one terminal group is a private key included in the key group corresponding to the identifier of the terminal group and the identifier of the first application program.
In a fourth aspect, the present invention provides a data processing apparatus comprising: the device comprises an acquisition module, a processing module and a sending module; the acquisition module is used for acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to the identifier of the first terminal group and the identifier of the first application program; the obtaining module is further configured to obtain a first private key and a preset hash algorithm based on the identifier of the first key group, where the first private key is a private key included in the first key group; the processing module is used for generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key; the sending module is configured to send a target data set to a first service device, where the target data set includes the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
In a fifth aspect, the present invention provides a data processing apparatus comprising: the device comprises a receiving module, a sending module, a processing module and a determining module; the receiving module is configured to receive a target data set sent by a data gateway, where the target data set includes original data collected by a first application in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm, and a first private key, the first private key is a private key included in a first key set, the first key set is a key set corresponding to both an identifier of the first terminal set and an identifier of the first application, and the first terminal set is a terminal set corresponding to the first terminal; the sending module is used for sending a data verification account book query request to the blockchain management equipment, wherein the data verification account book query request comprises the identification of the first terminal group and the identification of the first application program, and the data verification account book query request is used for requesting to acquire a public key corresponding to both the identification of the first terminal group and the identification of the first application program; the receiving module is further configured to receive a data verification ledger query response sent by the blockchain management device, where the data verification ledger query response includes a first public key, where the first public key is a public key included in the first key set, and the first public key is determined by the blockchain management device based on an identifier of the first terminal set and an identifier of the first application program; the determining module is configured to determine whether the original data has an anomaly based on the target digital signature, the first public key, and the preset hash algorithm.
In a sixth aspect, the present invention provides a data processing apparatus comprising: the device comprises a receiving module, a processing module, a sending module and a storage module; the receiving module is configured to receive a key allocation request sent by a first service device, where the key allocation request includes identifiers of a plurality of terminal groups and identifiers of first application programs, the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, the first application program is an application program corresponding to the first service device, and the key allocation request is used to request to allocate keys for the plurality of terminal groups; the processing module is configured to allocate key sets for the plurality of terminal sets, where a key set corresponding to one terminal set is a key set corresponding to both the identifier of the terminal set and the identifier of the first application program; the sending module is configured to send a key allocation response to the first service device, where the key allocation response includes identifiers of key groups corresponding to the plurality of terminal groups; the storage module is used for storing the identifiers of the plurality of terminal groups, the identifiers of the first application program and the public keys corresponding to the plurality of terminal groups to the data integrity verification account book; the sending module is further configured to send, to the data gateway, the private keys corresponding to the plurality of terminal groups and the identities of the key groups corresponding to the plurality of terminal groups, where the public key corresponding to one terminal group is a public key included in the key group corresponding to the identity of the terminal group and the identity of the first application, and the private key corresponding to one terminal group is a private key included in the key group corresponding to the identity of the terminal group and the identity of the first application.
In a seventh aspect, the present invention provides a server comprising: a processor and a memory configured to store processor-executable instructions; wherein the processor is configured to execute the instructions to implement any of the above-described optional data processing methods of the first aspect, or to implement any of the above-described optional data processing methods of the second aspect, or to implement any of the above-described optional data processing methods of the third aspect.
In an eighth aspect, the present invention provides a computer readable storage medium having instructions stored thereon which, when executed by an apparatus, cause the apparatus to perform any of the above-described optional data processing methods of the first aspect, or to perform any of the above-described optional data processing methods of the second aspect, or to perform any of the above-described optional data processing methods of the third aspect.
According to the data processing method, the device, the server and the storage medium, the data gateway can acquire the original data acquired by the first application program in the first terminal, the identification of the first terminal group and the identification of the first key group; the data gateway may then obtain a first private key (i.e., the private key included in the first key set) and a pre-set hash algorithm based on the identification of the first key set, and generate a target digital signature of the original data based on the original data, the pre-set hash algorithm, and the first private key. And the data gateway may send a target data set (including the original data and the target digital signature) to the first service device. In the embodiment of the invention, the calculation encryption process of the original data (namely, the process of generating the target digital signature) can be performed in the data gateway, the target digital signature is generated based on the unique private key (namely, the first private key) corresponding to the identification of the first terminal group and the identification of the first application program, the data gateway can be ensured to accurately and effectively calculate and generate the digital signature, and the digital signature can be used for the integrity check of the data, so that the process can also ensure that the data gateway can completely store the original data, and the effectiveness of data processing can be improved. In addition, the data gateway can also send the target data set including the original data and the target digital signature to the first service device (i.e. the service device corresponding to the first application program), so that the first service device can effectively verify the integrity of the original data after receiving the target data set, and the accuracy of data verification can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a diagram illustrating a network architecture of a data processing system according to an embodiment of the present invention;
fig. 2 is a schematic hardware diagram of a server according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of a data processing method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an internal structure of a data gateway according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 7 is a flowchart of another data processing method according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 9 is a flowchart of another data processing method according to an embodiment of the present invention;
FIG. 10 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 11 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 12 is a flowchart of another data processing method according to an embodiment of the present invention;
FIG. 13 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 17 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 18 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
fig. 19 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present invention.
Detailed Description
The data processing method, device, server and storage medium according to the embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Furthermore, references to the terms "comprising" and "having" and any variations thereof in the description of the present application are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment of the present invention is not to be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
The term "and/or" as used herein includes the use of either or both of these methods.
In the description of the present application, unless otherwise indicated, the meaning of "a plurality" means two or more.
Based on the description in the background art, since the storage capability and the computing capability of the terminal are limited in the prior art, the terminal may not be able to effectively calculate and generate a digital signature and/or store the data collected by the terminal, which may reduce the efficiency of data processing and further affect the accuracy of data verification. Based on this, the embodiment of the invention provides a data processing method, a device, a server and a storage medium, wherein the calculation encryption process of original data (i.e. the process of generating a target digital signature) can be performed in the data gateway, the generation of the target digital signature is based on the unique private key (i.e. the first private key) corresponding to the identification of the first terminal group and the identification of the first application program, so that the data gateway can be ensured to accurately and effectively calculate and generate the digital signature, and the process can also ensure that the data gateway can completely store the original data and improve the effectiveness of data processing because the digital signature can be used for the integrity check of the data. In addition, the data gateway can also send the target data set including the original data and the target digital signature to the first service device (i.e. the service device corresponding to the first application program), so that the first service device can effectively verify the integrity of the original data after receiving the target data set, and the accuracy of data verification can be improved.
The data processing method, apparatus, server and storage medium provided in the embodiments of the present invention may be applied to a data processing system, as shown in fig. 1, where the data processing system includes a terminal 101, a service device 102, a blockchain management device 103, a data gateway 104, and a data consumer device 105. In general, in practical applications, the connection between the above-mentioned devices or service functions may be a wireless connection, and for convenience and intuitiveness, the connection relationship between the devices is schematically shown by a solid line in fig. 1.
Wherein a certain application (e.g., a first application) in the terminal 101 may collect raw data and send the raw data to the data gateway 104. The first application program is an application program corresponding to the service device 102 installed in the terminal 101.
The business device 102 may manage the first application. In an embodiment of the present invention, the service device 102 may further receive a target data set sent by the data gateway 104, where the target data set includes the original data and a target digital signature of the original data, where the target digital signature is used to verify the integrity of the original data. Specifically, the service device 102 may determine whether the original data has an anomaly based on the target digital signature, a certain public key (e.g., a first public key) obtained from the blockchain management device 103, and a preset hash algorithm.
The blockchain management device 103 may assign an identification to the business device 102 (and/or the data consumer device 105), e.g., the identification of the business device 102 may be an identification of the application to which the business device 102 corresponds (i.e., the first application described above). In this embodiment of the present invention, the blockchain management device 103 may further receive a key allocation request sent by the service device 102, and allocate key groups to a plurality of terminal groups, where a specific key group corresponding to one terminal group is a key group corresponding to both the identifier of the terminal group and the identifier of the first application program. The blockchain management device 103 may further store a data integrity verification ledger, specifically, store public keys corresponding to the plurality of terminal groups, and after receiving a data verification ledger query request sent by the service device 102, the blockchain management device 103 may obtain, from the data integrity verification ledger, a public key (i.e. a first public key) corresponding to both the identifier of the first terminal group and the identifier of the first application program based on the identifier of the first terminal group and the identifier of the first application program, and send the first public key to the service device 102.
Data gateway 104 may receive raw data collected by terminal 101 from a first application in terminal 101. In this embodiment of the present invention, the data gateway 104 may further store private keys corresponding to a plurality of terminal groups and identifiers of key groups corresponding to the plurality of terminal groups, and when the data gateway 104 obtains the identifier of the first terminal group and the identifier of the first key group, the data gateway may generate a target digital signature of the original data based on the original data, a preset hash algorithm and the first private key, and send the original data and the target digital signature to the service device 102.
The data consumer device 105 may receive the identification assigned to it by the blockchain management device 103. In an embodiment of the present invention, the data consumer device 105 may also receive the target data set (including the original data and the target digital signature) sent by the data gateway 104. Specifically, the data consumer device 105 may determine whether there is an anomaly in the original data after receiving the original data and the target digital signature.
It should be noted that 1 terminal, 1 service device, 1 blockchain management device, 1 data gateway, and 1 data consumer device shown in fig. 1 are only examples of embodiments of the present invention. The number of the above-described respective devices is not particularly limited in the embodiment of the present invention.
In an embodiment of the present invention, the terminal 101 shown in fig. 1 may be: a cell phone, tablet, notebook, ultra mobile personal computer (Ultra-mobile Personal Computer, UMPC), netbook or personal digital assistant (Personal Digital Assistant, PDA), internet of things terminal (e.g., inspection robot or industrial sensor), etc.
Illustratively, a data gateway (e.g., data gateway 104 in fig. 1) performing the data processing method provided by the embodiment of the present invention may be a server. Fig. 2 is a schematic hardware structure of a server according to an embodiment of the present invention. As shown in fig. 2, the server 20 includes a processor 201, a memory 202, a network interface 203, and the like.
The processor 201 is a core component of the server 20, and the processor 201 is configured to run an operating system of the server 20 and application programs (including a system application program and a third party application program) on the server 20, so as to implement a data processing method of the server 20.
In an embodiment of the present invention, the processor 201 may be a central processing unit (central processing unit, CPU), microprocessor, digital signal processor (digital signal processor, DSP), application-specific integrated circuit (application-specific integrated circuit, ASIC), field programmable gate array (field programmable gate array, FPGA) or other programmable logic device, transistor logic device, hardware components, or any combination thereof, capable of implementing or executing the various exemplary logic blocks, modules and circuits described in connection with the disclosure of embodiments of the present invention; a processor may also be a combination that performs computing functions, e.g., including one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
Optionally, the processor 201 of the server 20 includes one or more CPUs, either single-core or multi-core.
Memory 202 includes, but is not limited to, random access memory (random access memory, RAM), read Only Memory (ROM), erasable programmable read only memory (erasable programmable read-only memory, EPROM), flash memory, optical memory, or the like. The memory 202 stores the code of the operating system.
Optionally, the processor 201 implements the data processing method in the embodiment of the present invention by reading the instruction stored in the memory 202, or the processor 201 implements the data processing method provided in the embodiment of the present invention by an instruction stored internally. In the case where the processor 201 implements the data processing method provided by the embodiment of the present invention by reading the execution stored in the memory, the instruction for implementing the data processing method provided by the embodiment of the present invention is stored in the memory.
The network interface 203 is a wired interface such as a fiber optic distributed data interface (fiber distributed data interface, FDDI), gigabit Ethernet (GE) interface. Alternatively, the network interface 203 is a wireless interface. The network interface 203 is used for the server 20 to communicate with other devices.
The memory 202 is used for storing the original data of the first terminal, the identification of the first terminal group and the identification of the first key group. The at least one processor 201 further performs the method described in the embodiments of the present invention based on the original data of the first terminal, the identification of the first terminal group, and the identification of the first key group stored in the memory 202. For more details on the implementation of the above-described functions by the processor 201, reference is made to the description of the various method embodiments described below.
Optionally, the server 20 further comprises a bus, and the processor 201 and the memory 202 are connected to each other via a bus 204, or connected to each other in other manners.
Optionally, the server 20 further includes an input-output interface 205, where the input-output interface 205 is configured to connect to an input device, and receive a digital signature generation request input by a user through the input device. Input devices include, but are not limited to, a keyboard, touch screen, microphone, and the like. The input-output interface 205 is also used to connect with an output device, and output the digital signature generation result of the processor 201 (i.e., generate the target digital signature). Output devices include, but are not limited to, displays, printers, and the like.
In the embodiment of the present invention, the hardware structure of the service device (for example, the service device 102 in fig. 1) and the hardware structure of the blockchain management device (for example, the blockchain management device 103 in fig. 1) are similar to the hardware structure of the server 20 shown in fig. 2, and the description of the hardware structure of the service device and the hardware structure of the blockchain management device may refer to the description of the hardware structure of the server 20, which is not described in detail herein.
The data processing method, the device, the server and the storage medium provided by the embodiment of the invention are applied to an application scene of data processing (particularly, calculating and generating a digital signature on data collected by a terminal and storing the collected data and the digital signature). When the data gateway obtains the original data collected by the first application program in the first terminal, the identifier of the first terminal group and the identifier of the first key group, the data gateway may obtain a first private key and a preset hash algorithm based on the identifier of the first key group, generate a target digital signature of the original data based on the original data, the hash algorithm and the first private key, and send the original data and the target digital signature to the first service device. The calculation encryption process of the original data (namely, the process of generating the target digital signature) can be performed in the data gateway, the target digital signature is generated based on the unique private key (namely, the first private key) corresponding to the identification of the first terminal group and the identification of the first application program, the data gateway can be ensured to accurately and effectively calculate and generate the digital signature, and the digital signature can be used for the integrity check of the data, so that the process can also ensure that the data gateway can completely store the original data, and the effectiveness of data processing can be improved. In addition, the data gateway can also send the target data set including the original data and the target digital signature to the first service device (i.e. the service device corresponding to the first application program), so that the first service device can effectively verify the integrity of the original data after receiving the target data set, and the accuracy of data verification can be improved.
As shown in fig. 3, when the data processing method is applied to the data gateway 104, the data processing method provided by the embodiment of the present invention may include S101-S104.
S101, the data gateway acquires original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group.
The first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application program.
It should be understood that the first terminal may include (or install) a plurality of applications, where the first application is one of the plurality of applications, and the first application is an application corresponding to (or provided by) a certain service device (e.g., a first service device), and it may also be understood that the first service device is used to manage the first application.
It may be appreciated that the original data of the first terminal is specifically the original data collected by the first application installed in the first terminal, and the original data may be the environmental data collected by the first application and/or log data generated by the first application. The first terminal may send the original data to the data gateway after acquiring the original data, so that the data gateway may acquire the original data.
In the embodiment of the present invention, a terminal group may correspond to (or include) at least one terminal, and the first terminal is one of the at least one terminal corresponding to the first terminal group.
S102, the data gateway acquires a first private key and a preset hash algorithm based on the identification of the first key group.
The first private key is a private key included in the first key set.
It should be appreciated that the data gateway may store identifiers of a plurality of key sets and private keys corresponding to the identifiers of the plurality of key sets, and after acquiring the identifier of the first key set, the data gateway may determine and acquire the first private key from the private keys corresponding to the identifiers of the plurality of key sets based on the identifier of the first key set.
In an implementation manner of the embodiment of the present invention, the data gateway may further obtain an identifier of the first application program, and determine the first key set from the plurality of key sets based on the identifier of the first terminal set and the identifier of the first application program (i.e., obtain the identifier of the first key set), so as to obtain the first private key.
Optionally, the preset hash algorithm may be obtained by the data gateway based on the identifier of the first key group, that is, the preset hash algorithm is a hash algorithm corresponding to the first key group; the preset hash algorithm may also be a fixed hash algorithm, i.e. the hash algorithm used by the plurality of key sets is the same.
And S103, the data gateway generates a target digital signature of the original data based on the original data, a preset hash algorithm and the first private key.
Specifically, the data gateway may generate a third digest based on the original data and the preset hash algorithm, and then generate the target digital signature based on the third digest and the first private key.
And S104, the data gateway sends the target data group to the first service equipment.
The target data set comprises the original data and the target digital signature, and the first service device is the service device corresponding to the first application program.
It should be appreciated that the data gateway sends the target data set to the first service device, so that the first service device may receive the target data set, and further the first service device may verify the obtained original data, i.e. verify whether the original data has an abnormal situation, for example, determine whether the original data has been tampered with, etc.
In one implementation of the embodiment of the present invention, the data gateway may further send the target data set to a data consumer device, so that the data consumer device may obtain the original data and the target digital signature of the original data, and determine whether there is an anomaly in the original data.
As shown in fig. 4, the data gateway provided by the embodiment of the present invention may include an interface Ia, an interface Ib, a plug-in management module, a key management module, and a block link point module.
The interface Ia and the interface Ib are respectively configured to receive the original data sent by the first terminal and send the target data set to a first service device (or a data consumer device).
The plugin management module may include a plurality of application plugins (for example, application plugin 1), where the application plugin 1 may be a plugin of the first application, and the data gateway may install the plugin of the first application in the plugin management module. The first plug-in may receive (e.g., via the interface Ia) the original data sent by the first terminal, and combine the private key obtained from the key management module with a preset algorithm to generate the target digital signature.
The key management module may include a private key (e.g., private key 1) included in each of the plurality of private key groups and a hash algorithm (e.g., hash algorithm 1) of each of the plurality of private keys, and the key management module may further send the private key 1 and the hash algorithm 1 to the plug-in management module.
The block link point module is configured to transmit a private key included in each of a plurality of key sets (specifically, transmitted to a key management module of the data gateway) sent by the blockchain management device. The blockchain node module is also used for carrying out uplink storage on the usage data of the plurality of private keys.
The technical scheme provided by the embodiment at least has the following beneficial effects: S101-S104, the data gateway can acquire the original data acquired by the first application program in the first terminal, the identification of the first terminal group and the identification of the first key group; the data gateway may then obtain a first private key (i.e., the private key included in the first key set) and a pre-set hash algorithm based on the identification of the first key set, and generate a target digital signature of the original data based on the original data, the pre-set hash algorithm, and the first private key. And the data gateway may send a target data set (including the original data and the target digital signature) to the first service device. In the embodiment of the invention, the calculation encryption process of the original data (namely, the process of generating the target digital signature) can be performed in the data gateway, the target digital signature is generated based on the unique private key (namely, the first private key) corresponding to the identification of the first terminal group and the identification of the first application program, the data gateway can be ensured to accurately and effectively calculate and generate the digital signature, and the digital signature can be used for the integrity check of the data, so that the process can also ensure that the data gateway can completely store the original data, and the effectiveness of data processing can be improved. In addition, the data gateway can also send the target data set including the original data and the target digital signature to the first service device (i.e. the service device corresponding to the first application program), so that the first service device can effectively verify the integrity of the original data after receiving the target data set, and the accuracy of data verification can be improved.
Referring to fig. 3, as shown in fig. 5, the data processing method provided in the embodiment of the present invention may further include S105-S106.
S105, the data gateway acquires the first use certificate.
The first use certificate is a key use certificate corresponding to the first key group.
It should be appreciated that the data gateway may use a key corresponding to a certain key usage credential (e.g., the first usage credential) based on the first key usage credential, specifically a first private key included in the first key set.
S106, the data gateway determines whether the first using certificate is identical to the second using certificate.
The second use certificate is a key use certificate corresponding to the first application program.
It will be appreciated that the key usage credential corresponding to an application (e.g., a first application), specifically, the key usage credential corresponding to data collected by the first application (i.e., the original data described above), the data gateway may use the corresponding private key based on the corresponding key usage credential (e.g., the second usage credential) to encrypt the original data.
In the embodiment of the invention, the data gateway can acquire the corresponding (namely, the corresponding key using certificate) private key only under the condition that the key using certificate which corresponds to the original data is acquired, thereby completing the encryption process of the original data.
In one case, when the first usage certificate is the same as the second usage certificate, it is indicated that the key usage certificate corresponding to the first key group is the same as the key usage certificate corresponding to the original data, and the data gateway may encrypt the original data by using the private key (i.e. the first private key) included in the first key group to generate the target digital signature.
In another case, when the first usage certificate and the second usage certificate are different, it is indicated that the key usage certificate corresponding to the first key group is different from the key usage certificate corresponding to the original data, and the data gateway cannot encrypt the original data using the first private key.
Continuing with fig. 5, the acquiring the first private key based on the identification of the first private key includes S1021.
S1021, when the first using certificate is the same as the second using certificate, the data gateway obtains the first private key based on the identification of the first key group.
In connection with the above description of the embodiments, it should be understood that when the first usage certificate is the same as the second usage certificate, it is explained that the key usage certificate corresponding to the first key group is the same as the key usage certificate corresponding to the original data, and the data gateway can obtain and use the first private key.
Referring to fig. 3, as shown in fig. 6, the data processing method provided in the embodiment of the present invention further includes S107.
And S107, the data gateway acquires the identification of the first terminal and the identification of the first application program.
Continuing with fig. 6, the obtaining of the identification of the first terminal group and the identification of the first key group may specifically include S1011-S1012.
S1011, the data gateway sends an information acquisition request to the first service equipment.
The information acquisition request includes an identifier of the first terminal and an identifier of the first application program, and is used for requesting to acquire the identifier of the first terminal group and the identifier of the first key group.
S1012, the data gateway receives the information acquisition response sent by the first service equipment.
The information acquisition response includes an identifier of the first terminal group and an identifier of the first key group, where the identifier of the first terminal group is acquired by the first service device based on the identifier of the first terminal, and the identifier of the first key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application program.
It should be understood that, after receiving the information acquisition request sent by the data gateway, the first service device may acquire the identifier of the first terminal group based on the identifier of the first terminal included in the information acquisition request, further acquire the identifier of the first key group, and then send an information acquisition response to the data gateway. In this way, the data gateway can obtain the identity of the first terminal group and the identity of the first key group.
As shown in fig. 7, when the data processing method is applied to the service device 102 (i.e., the first service device) shown in fig. 1, the data processing method provided by the embodiment of the present invention may include S201 to S204.
S201, the first business equipment receives a target data group sent by the data gateway.
The target data set comprises original data collected by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first key set, the first key set is a key set corresponding to both an identifier of the first terminal set and an identifier of the first application program, and the first terminal set is a terminal set corresponding to the first terminal set.
In connection with the above description of the embodiments, it should be understood that the first application in the first terminal may send the raw data to the data gateway after collecting the raw data, the data gateway may generate a target digital signature of the raw data in connection with the preset hash algorithm and the first private key, and send a target data set including the raw data and the target digital signature to the data gateway.
S202, the first business device sends a data verification account book query request to the blockchain management device.
The data verification account book query request comprises an identifier of the first terminal group and an identifier of the first application program, and is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program.
It should be appreciated that the blockchain management device stores a data integrity verification ledger, where the data integrity verification ledger includes public keys of a plurality of key sets, and after receiving the data verification ledger query request, the blockchain management device may query and obtain public keys corresponding to both the identification of the first terminal set and the identification of the first application program from the data integrity verification ledger based on the identification of the first terminal set and the identification of the first application program.
S203, the first business device receives a data verification account book query response sent by the blockchain management device.
The data verification account book query response comprises a first public key, wherein the first public key is a public key included in the first key group, and the first public key is determined by the blockchain management device based on the identification of the first terminal group and the identification of the first application program.
It will be appreciated that a private key and a public key may be included in a key set. The data gateway may store private keys of each of a plurality of key sets, and the blockchain management device (specifically, the data verification ledger) may store public keys of each of the plurality of key sets.
S204, the first business device determines whether the original data is abnormal or not based on the target digital signature, the first public key and a preset hash algorithm.
It should be understood that the preset hash algorithm in the embodiment of the present invention may also be a preset digest algorithm.
In one implementation manner of the embodiment of the present invention, for a certain data consumer device (for example, the data consumer device 105 in fig. 1), the data consumer device may also receive the target data set sent by the data gateway, and send the data verification ledger query request to the blockchain management device, so as to determine whether the original data acquired by the data consumer device has an abnormal situation. The description of determining whether the original data has an abnormal condition by the data consumer device is the same as or similar to the explanation of determining whether the original data has an abnormal condition by the first service device, and will not be repeated here.
The technical scheme provided by the embodiment at least has the following beneficial effects: as known from S201 to S204, the first service device may receive a target data set including original data collected by a first application program in the first terminal and a target digital signature of the original data, which is sent by the data gateway; then the first service device may send a data verification ledger query request to the blockchain management device, that is, request to obtain a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program, and receive a data verification ledger query response including the first public key sent by the blockchain device; and then, the first business device determines whether the original data has abnormality or not based on the target digital signature, the first public key and a preset digest algorithm. In the embodiment of the invention, the first service equipment can acquire the original data and the target digital signature from the data gateway, and acquire the corresponding public key (namely the first public key) from the blockchain management equipment, so that whether the original data has abnormality or not is verified, the data processing efficiency can be improved, and the accuracy of data verification is improved.
Referring to fig. 7, as shown in fig. 8, in an implementation manner of the embodiment of the present invention, the determining whether the original data has an anomaly based on the target digital signature, the first public key and the preset hash algorithm may specifically include S2041-S2042.
S2041, the first service device generates a first digest based on the target digital signature and the first public key, and generates a second digest based on the original data and a preset hash algorithm.
And S2042, under the condition that the first abstract is the same as the second abstract, the first business equipment determines that the original data is not abnormal.
It may be appreciated that when the first digest is identical to the second digest, indicating that the storage of the original data is complete, i.e. the original data has not been tampered with, the first service device may determine that there is no anomaly in the original data.
Optionally, when the first digest is different from the second digest, it indicates that the original data is not completely saved, and the original data may have been tampered, i.e., there is an anomaly in the original data.
Referring to fig. 7, as shown in fig. 9, the data processing method provided in the embodiment of the present invention may further include S205 to S206.
S205, the first service equipment sends a key allocation request to the blockchain management equipment.
The key allocation request includes identifiers of a plurality of terminal groups and identifiers of the first application program, the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, and the key allocation request is used for requesting to allocate keys for the plurality of terminal groups.
In connection with the above description of the embodiments, it should be understood that the first application is an application corresponding to the first service device. Each terminal (e.g., first terminal) included in each terminal group (e.g., first terminal group) of the plurality of terminal groups is a terminal to which the first application is installed.
In one case of the embodiment of the present invention, the first service device may divide the plurality of terminals installed with the first application into a plurality of terminal groups according to the functional characteristics. For example, the first service device may divide the inspection robot responsible for the inspection work into one terminal group, divide the sensors with the same function into one terminal group, and so on. In another case, the first service device may divide the plurality of terminals, on which the first application is installed, into a plurality of terminal groups according to a distance (or location information) between the respective terminals. For example, the first service device may divide some two terminals whose distance difference is smaller than the distance threshold into one terminal group. The embodiment of the present invention does not specifically limit the manner of dividing the terminal group.
S206, the first business equipment receives a key allocation response sent by the block chain management equipment.
The key allocation response includes the identities of the key groups corresponding to the terminal groups, and the identity of the key group corresponding to one terminal group is the identity of the key group corresponding to both the identity of the terminal group and the identity of the first application program.
It should be understood that the blockchain management device may receive key allocation requests sent by multiple service devices (including the first service device), that is, the blockchain management device needs to allocate keys not only for multiple terminal groups corresponding to the first service device, but also for terminal groups corresponding to other service devices, where the identifier of the terminal group may be used to distinguish different terminal groups under the same service device, and the identifier of the application (e.g., the identifier of the first application) may be used to distinguish different service devices.
The first service device may obtain the identities of the key sets corresponding to the terminal sets corresponding to the first service device, specifically, the identities of the key sets corresponding to the identities of each terminal set in the terminal sets and the identities of the first application program, for example, the identities of the first terminal set and the identities of the first application program (i.e., the identities of the first key set).
Referring to fig. 7, as shown in fig. 10, the data processing method provided in the embodiment of the present invention may further include S207 to S210.
S207, the first service equipment receives an information acquisition request sent by the data gateway.
The information acquisition request includes an identifier of the first terminal and an identifier of the first application program, and is used for requesting to acquire the identifier of the first terminal group and the identifier of the first key group.
In connection with the above description of the embodiments, it should be understood that the first terminal group is a terminal group corresponding to the first terminal (i.e., the first terminal is one of at least one terminal included in the first terminal group), the first terminal group is one of the plurality of terminal groups, and the plurality of terminal groups are terminal groups corresponding to the first service device.
S208, the first service equipment acquires the identification of the first terminal group from the first corresponding relation based on the identification of the first terminal.
The first correspondence relationship includes identifiers of a plurality of terminal groups and identifiers of terminals corresponding to the identifiers of the terminal groups.
It can be understood that the plurality of terminal groups are terminal groups corresponding to the first service device. After receiving the information obtaining request, the first service device may obtain, from the first correspondence, the identifier of the terminal group corresponding to the identifier of the first terminal, that is, obtain the identifier of the first terminal group, based on the identifier of the first terminal included in the information obtaining request.
For example, table 1 below is an example of a first correspondence provided in an embodiment of the present invention.
As shown in table 1, the first correspondence relationship includes the identities of 3 terminal groups (i.e., the identities 01, 02, and 03), and the identities of the terminals to which the identities of the 3 terminal groups respectively correspond. Specifically, the identifier of the terminal corresponding to the identifier 01 includes an identifier 04, the identifier of the terminal corresponding to the identifier 02 includes an identifier 05, an identifier 06 and an identifier 07, and the identifier of the terminal corresponding to the identifier 03 includes an identifier 08 and an identifier 09.
TABLE 1
Identification of terminal group Identification of terminal
Sign 01 Sign 04
Sign 02 Sign 05, sign 06, sign 07
Identification 03 Sign 08, sign 09
Assuming that the identifier of the first terminal is identifier 04, the first service device determines that the identifier of the first terminal group is identifier 01.
S209, under the condition that the second corresponding relation contains the identifiers of the key sets corresponding to the identifiers of the first terminal set and the identifiers of the first application programs, the first service equipment acquires the identifiers of the key sets corresponding to the identifiers of the first terminal set and the identifiers of the first application programs, and determines the acquired identifiers of the key sets as the identifiers of the first key sets.
It should be appreciated that the identity of a terminal group may correspond to the identities of a plurality of key groups, and the identity of an application may also correspond to the identities of a plurality of key groups. In the embodiment of the present invention, the first service device may determine the identifier of the first key set from the identifiers of the plurality of key sets stored in the second correspondence based on the identifier of a certain terminal set (for example, the first terminal set) and the identifier of a certain application program (for example, the first application program).
For example, table 2 below is an example of the second correspondence provided in the embodiment of the present invention.
As shown in table 2, the identities of the terminal group include 3 identities, namely, identity 01, identity 02, and identity 03. The application programs comprise 3 identifiers, specifically an identifier 11, an identifier 12 and an identifier 13. The identities of the 4 key sets are identity 16, identity 17, identity 18 and identity 19, respectively. The identity of the key group corresponding to the identity 01 and the identity 11 is the identity 16, the identity of the key group corresponding to the identity 01 and the identity 12 is the identity 17, the identity of the key group corresponding to the identity 02 and the identity 11 is the identity 18, and the identity of the key group corresponding to the identity 03 and the identity 13 is the identity 19.
TABLE 2
Identification of terminal group Identification of application programs Identification of key sets
Sign 01 Sign 11 Sign 16
Sign 01 Sign 12 Sign 17
Sign 02 Sign 11 Sign 18
Identification 03 Sign 13 Sign 19
In combination with the example in table 1 above, assuming that the identifier of the first application is identifier 12, the first service device determines that the identifier of the first key set is identifier 17.
S210, the first service equipment sends an information acquisition response to the data gateway.
Wherein the information acquisition response includes an identification of the first terminal group and an identification of the first key group.
The data gateway may receive the identifier of the first terminal group and the identifier of the first key group sent by the first service device.
As shown in fig. 11, when the data processing method is applied to the blockchain management device 103 shown in fig. 1, the data processing method provided by the embodiment of the present invention may include S301 to S304.
S301, the block chain management device receives a key allocation request sent by the first service device.
The key allocation request includes identifiers of a plurality of terminal groups and identifiers of a first application program, the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, the first application program is an application program corresponding to the first service device, and the key allocation request is used for requesting to allocate keys for the plurality of terminal groups.
S302, the block chain management device distributes key sets for a plurality of terminal sets.
The key set corresponding to one terminal set is a key set corresponding to both the identifier of the terminal set and the identifier of the first application program.
In connection with the above description of the embodiments, it should be understood that a set of keys includes a private key and a public key. The blockchain management device allocates key sets for the plurality of terminal sets, namely, allocates private keys and public keys for the plurality of terminal sets.
Alternatively, the blockchain management device may allocate different key sets to the plurality of terminal groups, or may allocate the same key set to the plurality of terminal groups. In the embodiment of the disclosure, the blockchain device is taken as an example to allocate different key sets for the plurality of terminal sets.
S303, the block chain management device sends a key allocation response to the first service device.
The key allocation response includes the identities of the key groups corresponding to the terminal groups.
In connection with the above description of the embodiments, it should be understood that the identifier of the key set corresponding to each of the plurality of terminal sets is the identifier of the key set corresponding to both the identifier of each of the terminal sets and the identifier of the first application.
It will be appreciated that the key allocation response is used to inform the first service device that the key group (or key) allocation corresponding to each of the plurality of terminal groups was successful. The blockchain management device sends the identities of the key groups corresponding to the terminal groups to the first service device, so that the data gateway can acquire the identities of the key groups corresponding to the terminal groups (such as the identities of the first key group) from the first service device.
S304, the blockchain management device stores the identifiers of the plurality of terminal groups, the identifiers of the first application program and the public keys corresponding to the plurality of terminal groups to the data integrity verification account book, and sends the private keys corresponding to the plurality of terminal groups and the identifiers of the key groups corresponding to the plurality of terminal groups to the data gateway.
The public key corresponding to one terminal group is a public key included in a secret key group corresponding to the identifier of the terminal group and the identifier of the first application program, and the private key corresponding to one terminal group is a private key included in a secret key group corresponding to the identifier of the terminal group and the identifier of the first application program.
In connection with the above description of the embodiments, it should be understood that the plurality of terminal groups are terminal groups corresponding to a first service device, and the first application program is an application program corresponding to the first service device. The key set corresponding to each terminal set in the plurality of terminal sets is a key set corresponding to the identifier of each terminal set and the identifier of the first application program, and one key set comprises a private key and a public key.
The data integrity verification ledger is configured to store (or may include) public keys corresponding to the plurality of terminal groups, so that the first service device (or the data consumer device) may obtain a certain public key (e.g., a first public key) from the blockchain management device (specifically, the data integrity verification ledger).
Optionally, the data integrity verification ledger may further include an identifier of a key set corresponding to each of the plurality of terminals.
It should be noted that the embodiment of the present invention is not limited to the execution sequence of S303 and S304. For example, S303 may be performed first and then S304 may be performed, S304 may be performed first and then S303 may be performed, or S303 and S304 may be performed simultaneously. For convenience of explanation, an example is illustrated in fig. 11 in which S303 is performed first and S304 is performed later.
In the embodiment of the invention, the blockchain management device may send the private keys corresponding to the terminal groups and the identifiers of the key groups corresponding to the terminal groups to the data gateway, so that the data gateway may obtain the private keys corresponding to the terminal groups and the identifiers of the key groups corresponding to the terminal groups, and further complete the encryption process of the original data based on the relevant private keys (for example, the first private key).
The technical scheme provided by the embodiment at least has the following beneficial effects: S301-S304 can know that the block chain management device receives a key allocation request sent by a first service device, namely, requests to allocate keys for a plurality of terminal groups corresponding to the first service device; the blockchain management device may then assign a set of keys (specifically, a private key and a public key) for the plurality of terminal groups; the blockchain management device may send a key assignment response to the first service device including an identification of a key set corresponding to each of the plurality of terminal groups, such that the first service device may receive an identification of a key set (e.g., a first key set) corresponding to each of the terminal groups (e.g., the first terminal group) and an identification of the first application program, such that the data gateway may obtain the identification of the first key set from the first service device. And the blockchain management device may store the identifiers of the plurality of terminal groups, the identifiers of the first application program, and the public keys corresponding to the plurality of terminal groups to a data integrity ledger, so that the first service device may obtain a corresponding public key (e.g., a first public key) when verifying the integrity of the original data; and the blockchain management device may further send the private keys corresponding to the plurality of terminal groups and the identities of the key groups corresponding to the plurality of terminal groups to the data gateway, so that the data gateway may encrypt the original data based on the corresponding private key (i.e., the first private key) to generate the target digital signature. The method can accurately and effectively distribute the secret key group (comprising the private key and the public key) for the terminal group, and issue the identification of the secret key group, thereby improving the data transmission and processing efficiency, and further improving the accuracy of data encryption and data verification.
Referring to fig. 11, as shown in fig. 12, the data processing method provided in the embodiment of the present invention may further include S305 to S307.
S305, the blockchain management device receives a data verification account book query request sent by the first service device.
The data verification account book query request includes an identifier of a first terminal group and an identifier of the first application program, and is used for requesting to obtain a public key corresponding to the identifier of the first terminal group and the identifier of the first application program, where the first terminal group is one of the plurality of terminal groups.
In connection with the above description of the embodiments, it should be understood that the first terminal group is a terminal group corresponding to the first terminal (i.e., a terminal that collects raw data) described above.
S306, the blockchain management device obtains public keys corresponding to the identification of the first terminal group and the identification of the first application program from the data integrity verification account book based on the identification of the first terminal group and the identification of the first application program, and determines the obtained public keys as first public keys.
The first public key is a public key included in a first key set, and the first key set is a key set corresponding to both the identifier of the first terminal set and the identifier of the first application program.
In connection with the above description of the embodiments, it should be understood that the blockchain management device (specifically, the data integrity verification ledger) stores therein key sets corresponding to identifiers of a plurality of terminal groups, and specifically, for each terminal group of the plurality of terminal groups, the data integrity verification ledger stores therein key sets corresponding to identifiers of the first application program and each terminal group. Because a secret key group comprises a public key and a private key, the private key and the public key corresponding to the identification of the first application program and the identification of each terminal group are stored in the data integrity verification account book, and the blockchain management equipment can acquire and determine the first public key from the data integrity verification account book.
S307, the blockchain management device sends a data verification ledger response to the first business device.
Wherein the data validation ledger response includes the first public key.
Thus, the first service device can acquire the first public key, namely, acquire the public key corresponding to the identifier of the first terminal group and the identifier of the first application program, so that the verification process of the original data can be completed.
As shown in fig. 13, when the data processing method is applied to the process of interaction of the respective devices in the data processing system shown in fig. 1, the data processing method may include S401 to S411.
S401, the data gateway acquires original data acquired by a first application program in the first terminal, an identifier of the first terminal group and an identifier of the first key group.
The first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application program.
S402, the data gateway acquires a first private key and a preset hash algorithm based on the identification of the first key group.
The first private key is a private key included in the first key set.
S403, the data gateway generates a target digital signature of the original data based on the original data, a preset hash algorithm and the first private key.
S404, the data gateway sends the target data group to the first service equipment.
The target data set comprises the original data and the target digital signature, and the first service device is the service device corresponding to the first application program.
S405, the first business equipment receives a target data group sent by the data gateway.
S406, the first business device sends a data verification account book query request to the blockchain management device.
The data verification account book query request comprises an identifier of the first terminal group and an identifier of the first application program, and is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program.
S407, the blockchain management device receives a data verification account book query request sent by the first service device.
S408, the blockchain management device acquires public keys corresponding to the identification of the first terminal group and the identification of the first application program from the data integrity account book based on the identification of the first terminal and the identification of the first application program, and determines the acquired public keys as first public keys.
The first public key is a public key included in a first key set, and the first key set is a key set corresponding to both the identifier of the first terminal set and the identifier of the first application program.
S409, the block chain management device sends a data verification ledger inquiry response to the first business device.
Wherein the data validation ledger query response includes the first public key.
S410, the first business device receives a data verification account book query response sent by the blockchain management device.
S411, the first service device determines whether the original data has an abnormality based on the target digital signature, the first public key and a preset hash algorithm.
It should be noted that, the explanation in S401 to S411 may refer to the description of the related steps in the embodiment of the present invention, and will not be repeated here.
The embodiment of the invention can divide the functional modules of the data gateway, the first service device, the blockchain management device and the like according to the method example, for example, each functional module can be divided corresponding to each function, and two or more functions can be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present invention, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
In the case of dividing the respective functional modules by the respective functions, fig. 14 shows a schematic diagram of one possible configuration of the data processing apparatus (specifically, the data gateway) involved in the above-described embodiment, and as shown in fig. 14, the data processing apparatus 30 may include: an acquisition module 301, a processing module 302 and a sending module 303.
The obtaining module 301 is configured to obtain original data collected by a first application in a first terminal, an identifier of a first terminal group, and an identifier of a first key group, where the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application.
The obtaining module 301 is further configured to obtain a first private key and a preset hash algorithm based on the identifier of the first key group, where the first private key is a private key included in the first key group.
A processing module 302, configured to generate a target digital signature of the original data based on the original data, the preset hash algorithm, and the first private key.
And the sending module 303 is configured to send a target data set to a first service device, where the target data set includes the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
Optionally, the data processing device 30 further comprises a determination module 304.
The obtaining module 301 is further configured to obtain a first usage credential, where the first usage credential is a key usage credential corresponding to the first key set.
A determining module 304 is configured to determine whether the first usage credential is identical to a second usage credential, where the second usage credential is a key usage credential corresponding to the first application program.
The processing module 302 is specifically configured to obtain the first private key based on the identification of the first key group when the first usage credential is the same as the second usage credential.
Optionally, the data processing device 30 further comprises a receiving module 305.
The obtaining module 301 is further configured to obtain an identifier of the first terminal and an identifier of the first application.
The sending module 303 is further configured to send an information acquisition request to the first service device, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application, and the information acquisition request is used to request to acquire an identifier of the first terminal group and an identifier of the first key group.
The receiving module 305 is configured to receive an information acquisition response sent by the first service device, where the information acquisition response includes an identifier of the first terminal group and an identifier of the first key group, where the identifier of the first terminal group is acquired by the first service device based on the identifier of the first terminal, and the identifier of the first key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application program.
In case of an integrated unit, fig. 15 shows a schematic diagram of one possible structure of the data processing device (in particular, the data gateway) involved in the above-described embodiment. As shown in fig. 15, the data processing apparatus 40 may include: a processing module 401 and a communication module 402. The processing module 401 may be used to control and manage the actions of the data processing apparatus 40. The communication module 402 may be used to support communication of the data processing apparatus 40 with other entities. Optionally, as shown in fig. 15, the data processing device 40 may further include a storage module 403 for storing program codes and data of the data processing device 40.
The processing module 401 may be a processor or a controller (e.g., may be the processor 201 shown in fig. 2 and described above). The communication module 402 may be a transceiver, a transceiver circuit, a communication interface, or the like (e.g., may be the network interface 203 described above and shown in fig. 2). The memory module 403 may be a memory (e.g., may be the memory 202 described above and shown in fig. 2).
When the processing module 401 is a processor, the communication module 402 is a transceiver, and the storage module 403 is a memory, the processor, the transceiver, and the memory may be connected through a bus. The bus may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus, or the like. The buses may be divided into address buses, data buses, control buses, etc.
In the case of dividing the respective functional modules by the respective functions, fig. 16 shows a schematic diagram of one possible configuration of the data processing apparatus (specifically, the first service device) related to the above embodiment, and as shown in fig. 16, the data processing apparatus 50 may include: a receiving module 501, a transmitting module 502 and a determining module 503.
The receiving module 501 is configured to receive a target data set sent by a data gateway, where the target data set includes original data collected by a first application in a first terminal and a target digital signature of the original data, where the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm, and a first private key, where the first private key is a private key included in a first key set, and the first key set is a key set corresponding to both an identifier of the first terminal set and an identifier of the first application, and the first terminal set is a terminal set corresponding to the first terminal.
The sending module 502 is configured to send a data verification ledger query to a blockchain management device, where the data verification ledger query includes an identifier of the first terminal group and an identifier of the first application program, and the data verification ledger query is configured to request to obtain a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program.
The receiving module 501 is further configured to receive a data verification ledger query response sent by the blockchain management device, where the data verification ledger query response includes a first public key, where the first public key is a public key included in the first key set, and the first public key is determined by the blockchain management device based on the identifier of the first terminal set and the identifier of the first application program.
A determining module 503, configured to determine whether the original data has an anomaly based on the target digital signature, the first public key and the preset hash algorithm.
Optionally, the data processing apparatus 50 further comprises a processing module 504.
A processing module 504 is configured to generate a first digest based on the target digital signature and the first public key, and generate a second digest based on the original data and the preset hash algorithm.
The determining module 503 is specifically configured to determine that the original data has no abnormality if the first digest is the same as the second digest.
Optionally, the sending module 502 is further configured to send a key allocation request to the blockchain management device, where the key allocation request includes an identifier of a plurality of terminal groups and an identifier of the first application, where the plurality of terminal groups are terminal groups corresponding to the first service device, and one terminal group includes at least one terminal, and the key allocation request is used to request to allocate keys for the plurality of terminal groups.
The receiving module 501 is further configured to receive a key allocation response sent by the blockchain management device, where the key allocation response includes identifiers of key groups corresponding to the multiple terminal groups, and the identifier of the key group corresponding to one terminal group is an identifier of the key group corresponding to both the identifier of the terminal group and the identifier of the first application program.
Optionally, the data processing device 50 further comprises an acquisition module 505.
The receiving module 501 is further configured to receive an information acquisition request sent by the data gateway, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application, and the information acquisition request is used to request to acquire an identifier of the first terminal group and an identifier of the first key group.
The obtaining module 505 is configured to obtain, based on the identifier of the first terminal, the identifier of the first terminal group from a first correspondence, where the first correspondence includes identifiers of a plurality of terminal groups and identifiers of terminals corresponding to the identifiers of the plurality of terminal groups.
The obtaining module 505 is further configured to obtain, when the second correspondence relationship includes an identifier of a key set corresponding to both the identifier of the first terminal set and the identifier of the first application, an identifier of a key set corresponding to both the identifier of the first terminal set and the identifier of the first application.
The determining module 503 is further configured to determine the obtained identity of the key set as the identity of the first key set.
The sending module 502 is further configured to send an information acquisition response to the data gateway, where the information acquisition response includes the identifier of the first terminal group and the identifier of the first key group.
In case of an integrated unit, fig. 17 shows a possible structural schematic diagram of the data processing apparatus (in particular the first service device described above) involved in the above-described embodiment. As shown in fig. 17, the data processing apparatus 60 may include: a processing module 601 and a communication module 602. The processing module 601 may be used to control and manage the actions of the data processing apparatus 60. The communication module 602 may be used to support communication of the data processing apparatus 60 with other entities. Optionally, as shown in fig. 17, the data processing device 60 may further include a storage module 603 for storing program codes and data of the data processing device 60.
The processing module 601 may be a processor or a controller (e.g., the processor 201 shown in fig. 2 described above). The communication module 602 may be a transceiver, a transceiver circuit, a communication interface, or the like (e.g., may be the network interface 203 described above and shown in fig. 2). The memory module 603 may be a memory (e.g., memory 202 described above and shown in fig. 2).
When the processing module 601 is a processor, the communication module 602 is a transceiver, and the storage module 603 is a memory, the processor, the transceiver and the memory may be connected through a bus. The bus may be a PCI bus or an EISA bus, etc. The buses may be divided into address buses, data buses, control buses, etc.
In the case of dividing the respective functional modules with the respective functions, fig. 18 shows a schematic diagram of one possible configuration of the data processing apparatus (specifically, the above-described blockchain management device) involved in the above-described embodiment, and as shown in fig. 18, the data processing apparatus 70 may include: a receiving module 701, a processing module 702, a transmitting module 703 and a storage module 704.
The receiving module 701 is configured to receive a key allocation request sent by a first service device, where the key allocation request includes identifiers of a plurality of terminal groups and identifiers of a first application, where the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, and the first application is an application corresponding to the first service device, and the key allocation request is used to request to allocate keys for the plurality of terminal groups.
The processing module 702 is configured to allocate key sets to the plurality of terminal sets, where a key set corresponding to one terminal set is a key set corresponding to both the identifier of the terminal set and the identifier of the first application.
A sending module 703, configured to send a key allocation response to the first service device, where the key allocation response includes identities of key groups corresponding to the plurality of terminal groups respectively.
And the storage module 704 is configured to store the identifiers of the plurality of terminal groups, the identifiers of the first application program, and the public keys corresponding to the plurality of terminal groups to the data integrity verification ledger.
The sending module 703 is further configured to send, to the data gateway, the private keys corresponding to the plurality of terminal groups and the identities of the key groups corresponding to the plurality of terminal groups, where the public key corresponding to one terminal group is a public key included in the key group corresponding to both the identity of the terminal group and the identity of the first application, and the private key corresponding to one terminal group is a private key included in the key group corresponding to both the identity of the terminal group and the identity of the first application.
Optionally, the data processing apparatus 70 further comprises an acquisition module 705 and a determination module 706.
The receiving module 701 is further configured to receive a data verification ledger query sent by the first service device, where the data verification ledger query includes an identifier of a first terminal group and an identifier of the first application, and the data verification ledger query is configured to request to obtain a public key corresponding to both the identifier of the first terminal group and the identifier of the first application, where the first terminal group is one of the plurality of terminal groups.
The obtaining module 705 is configured to obtain, from the data integrity verification ledger, a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program based on the identifier of the first terminal group and the identifier of the first application program.
The determining module 706 is configured to determine the obtained public key as a first public key, where the first public key is a public key included in a first key group, and the first key group is a key group corresponding to both an identifier of the first terminal group and an identifier of the first application program.
The sending module 703 is further configured to send a data verification ledger query response to the first service device, where the data verification ledger query response includes the first public key.
In the case of an integrated unit, fig. 19 shows a possible structural schematic diagram of the data processing apparatus (specifically, the above-described blockchain management device) involved in the above-described embodiment. As shown in fig. 19, the data processing apparatus 80 may include: a processing module 801 and a communication module 802. The processing module 801 may be used to control and manage the operation of the data processing apparatus 80. The communication module 802 may be used to support communication of the data processing apparatus 80 with other entities. Optionally, as shown in fig. 19, the data processing device 80 may further include a storage module 803 for storing program codes and data of the data processing device 80.
The processing module 801 may be a processor or a controller (e.g., may be the processor 201 described above and shown in fig. 2). The communication module 802 may be a transceiver, a transceiver circuit, a communication interface, or the like (e.g., may be the network interface 203 described above and shown in fig. 2). The storage module 803 may be a memory (e.g., may be the memory 202 described above as shown in fig. 2).
Where the processing module 801 is a processor, the communication module 802 is a transceiver, and the storage module 803 is a memory, the processor, the transceiver, and the memory may be connected through a bus. The bus may be a PCI bus or an EISA bus, etc. The buses may be divided into address buses, data buses, control buses, etc.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, digital subscriber terminal line (Digital Subscriber Line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more servers, data centers, etc. that can be integrated with the medium. The usable medium may be a magnetic medium (e.g., a floppy Disk, a hard Disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (20)

1. A data processing method, applied to a data gateway, the method comprising:
acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to the identifier of the first terminal group and the identifier of the first application program;
acquiring a first private key and a preset hash algorithm based on the identification of the first key group, wherein the first private key is a private key included in the first key group;
generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key;
and sending a target data set to first service equipment, wherein the target data set comprises the original data and the target digital signature, and the first service equipment is the service equipment corresponding to the first application program.
2. The data processing method of claim 1, wherein the method further comprises:
acquiring a first use certificate, wherein the first use certificate is a key use certificate corresponding to the first key group;
determining whether the first use certificate is the same as a second use certificate, wherein the second use certificate is a secret key use certificate corresponding to the first application program;
the obtaining the first private key based on the identification of the first key group includes:
and acquiring the first private key based on the identification of the first key group when the first using certificate is the same as the second using certificate.
3. The data processing method of claim 1, wherein the method further comprises:
acquiring an identifier of the first terminal and an identifier of the first application program;
acquiring the identifier of the first terminal group and the identifier of the first key group, including:
an information acquisition request is sent to the first service equipment, wherein the information acquisition request comprises an identifier of the first terminal and an identifier of the first application program, and the information acquisition request is used for requesting to acquire the identifier of the first terminal group and the identifier of the first key group;
And receiving an information acquisition response sent by the first service device, wherein the information acquisition response comprises an identifier of the first terminal group and an identifier of the first key group, the identifier of the first terminal group is acquired by the first service device based on the identifier of the first terminal, and the identifier of the first key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application program.
4. A data processing method, applied to a first service device, the method comprising:
receiving a target data set sent by a data gateway, wherein the target data set comprises original data acquired by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first key set, the first key set is a key set corresponding to both an identifier of the first terminal set and an identifier of the first application program, and the first terminal set is a terminal set corresponding to the first terminal;
Transmitting a data verification ledger inquiry request to a blockchain management device, wherein the data verification ledger inquiry request comprises the identification of the first terminal group and the identification of the first application program, and the data verification ledger inquiry request is used for requesting to acquire public keys corresponding to the identification of the first terminal group and the identification of the first application program;
receiving a data verification account book query response sent by the blockchain management device, wherein the data verification account book query response comprises a first public key, the first public key is a public key included by the first key group, and the first public key is determined by the blockchain management device based on the identification of the first terminal group and the identification of the first application program;
and determining whether the original data has an abnormality or not based on the target digital signature, the first public key and the preset hash algorithm.
5. The data processing method according to claim 4, wherein the determining whether the original data has an anomaly based on the target digital signature, the first public key, and the preset hash algorithm comprises:
generating a first digest based on the target digital signature and the first public key, and generating a second digest based on the original data and the preset hash algorithm;
And under the condition that the first abstract is the same as the second abstract, determining that the original data has no abnormality.
6. The data processing method according to claim 4, characterized in that the method comprises:
a key distribution request is sent to the blockchain management equipment, the key distribution request comprises identifiers of a plurality of terminal groups and identifiers of the first application program, the plurality of terminal groups are terminal groups corresponding to the first service equipment, one terminal group comprises at least one terminal, and the key distribution request is used for requesting to distribute keys for the plurality of terminal groups;
and receiving a key distribution response sent by the blockchain management device, wherein the key distribution response comprises the identifiers of the key groups corresponding to the terminal groups, and the identifier of the key group corresponding to one terminal group is the identifier of the key group corresponding to the identifier of the terminal group and the identifier of the first application program.
7. A data processing method according to any one of claims 4-6, characterized in that the method further comprises:
receiving an information acquisition request sent by the data gateway, wherein the information acquisition request comprises an identifier of the first terminal and an identifier of the first application program, and the information acquisition request is used for requesting to acquire the identifier of the first terminal group and the identifier of the first key group;
Based on the identification of the first terminal, the identification of the first terminal group is obtained from a first corresponding relation, wherein the first corresponding relation comprises the identifications of a plurality of terminal groups and the identifications of terminals corresponding to the identifications of the terminal groups;
under the condition that the second corresponding relation contains the identification of the key group corresponding to the identification of the first terminal group and the identification of the first application program, acquiring the identification of the key group corresponding to the identification of the first terminal group and the identification of the first application program, and determining the acquired identification of the key group as the identification of the first key group;
and sending an information acquisition response to the data gateway, wherein the information acquisition response comprises the identification of the first terminal group and the identification of the first key group.
8. A data processing method for use with a blockchain management device, the method comprising:
receiving a key allocation request sent by first service equipment, wherein the key allocation request comprises identifiers of a plurality of terminal groups and identifiers of first application programs, the terminal groups are terminal groups corresponding to the first service equipment, one terminal group comprises at least one terminal, the first application program is an application program corresponding to the first service equipment, and the key allocation request is used for requesting to allocate keys for the terminal groups;
Distributing key sets for the plurality of terminal sets, wherein the key set corresponding to one terminal set is the key set corresponding to both the identifier of the terminal set and the identifier of the first application program;
transmitting a key allocation response to the first service device, wherein the key allocation response comprises identifiers of key groups corresponding to the terminal groups;
storing the identifiers of the terminal groups, the identifiers of the first application program and the public keys corresponding to the terminal groups to a data integrity verification account book, and sending the private keys corresponding to the terminal groups and the identifiers of the key groups corresponding to the terminal groups to a data gateway, wherein the public key corresponding to one terminal group is a public key included in the key group corresponding to the identifier of the terminal group and the identifier of the first application program, and the private key corresponding to one terminal group is a private key included in the key group corresponding to the identifier of the terminal group and the identifier of the first application program.
9. The data processing method of claim 8, wherein the method further comprises:
receiving a data verification account book query request sent by the first service device, wherein the data verification account book query request comprises an identifier of a first terminal group and an identifier of the first application program, and the data verification account book query request is used for requesting to acquire a public key corresponding to the identifier of the first terminal group and the identifier of the first application program, and the first terminal group is one of the plurality of terminal groups;
Based on the identification of the first terminal group and the identification of the first application program, acquiring public keys corresponding to the identification of the first terminal group and the identification of the first application program from the data integrity verification account book, and determining the acquired public keys as first public keys, wherein the first public keys are public keys included in a first key group, and the first key group is a key group corresponding to the identification of the first terminal group and the identification of the first application program;
and sending a data verification ledger inquiry response to the first business device, wherein the data verification ledger inquiry response comprises a first public key.
10. A data processing apparatus, comprising: the device comprises an acquisition module, a processing module and a sending module;
the acquisition module is used for acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to the identifier of the first terminal group and the identifier of the first application program;
the obtaining module is further configured to obtain a first private key and a preset hash algorithm based on the identifier of the first key group, where the first private key is a private key included in the first key group;
The processing module is used for generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key;
the sending module is configured to send a target data set to a first service device, where the target data set includes the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
11. The data processing apparatus of claim 10, wherein the data processing apparatus further comprises a determination module;
the acquiring module is further configured to acquire a first use certificate, where the first use certificate is a key use certificate corresponding to the first key group;
the determining module is configured to determine whether the first usage credential is the same as a second usage credential, where the second usage credential is a key usage credential corresponding to the first application program;
the processing module is specifically configured to obtain, when the first usage credential is the same as the second usage credential, the first private key based on the identification of the first key group.
12. The data processing apparatus of claim 10, wherein the data processing apparatus further comprises a receiving module;
The acquisition module is further used for acquiring the identification of the first terminal and the identification of the first application program;
the sending module is further configured to send an information acquisition request to the first service device, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application, and the information acquisition request is used to request to acquire an identifier of the first terminal group and an identifier of the first key group;
the receiving module is configured to receive an information acquisition response sent by the first service device, where the information acquisition response includes an identifier of the first terminal group and an identifier of the first key group, the identifier of the first terminal group is acquired by the first service device based on the identifier of the first terminal, and the identifier of the first key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application program.
13. A data processing apparatus, comprising: the device comprises a receiving module, a sending module and a determining module;
the receiving module is configured to receive a target data set sent by a data gateway, where the target data set includes original data collected by a first application in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm, and a first private key, the first private key is a private key included in a first key set, the first key set is a key set corresponding to both an identifier of the first terminal set and an identifier of the first application, and the first terminal set is a terminal set corresponding to the first terminal;
The sending module is configured to send a data verification ledger query request to a blockchain management device, where the data verification ledger query request includes an identifier of the first terminal group and an identifier of the first application program, and the data verification ledger query request is configured to request to obtain a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program;
the receiving module is further configured to receive a data verification ledger query response sent by the blockchain management device, where the data verification ledger query response includes a first public key, where the first public key is a public key included in the first key set, and the first public key is determined by the blockchain management device based on an identifier of the first terminal set and an identifier of the first application program;
the determining module is configured to determine whether the original data has an anomaly based on the target digital signature, the first public key, and the preset hash algorithm.
14. The data processing apparatus of claim 13, wherein the data processing apparatus further comprises a processing module;
the processing module is used for generating a first digest based on the target digital signature and the first public key and generating a second digest based on the original data and the preset hash algorithm;
The determining module is specifically configured to determine that the original data is not abnormal when the first digest is the same as the second digest.
15. The data processing apparatus of claim 13, wherein the data processing apparatus comprises,
the sending module is further configured to send a key allocation request to the blockchain management device, where the key allocation request includes identifiers of a plurality of terminal groups and identifiers of the first application, the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, and the key allocation request is used to request to allocate keys to the plurality of terminal groups;
the receiving module is further configured to receive a key allocation response sent by the blockchain management device, where the key allocation response includes identifiers of key groups corresponding to the multiple terminal groups, and the identifier of a key group corresponding to one terminal group is an identifier of a key group corresponding to both the identifier of the terminal group and the identifier of the first application program.
16. The data processing apparatus according to any one of claims 13-15, wherein the data processing apparatus further comprises an acquisition module;
The receiving module is further configured to receive an information acquisition request sent by the data gateway, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application, and the information acquisition request is used to request to acquire an identifier of the first terminal group and an identifier of the first key group;
the acquiring module is configured to acquire, based on the identifier of the first terminal, the identifier of the first terminal group from a first correspondence, where the first correspondence includes identifiers of a plurality of terminal groups and identifiers of terminals corresponding to the identifiers of the plurality of terminal groups;
the obtaining module is further configured to obtain, in a case where the second correspondence has an identifier of a key set corresponding to both the identifier of the first terminal set and the identifier of the first application, an identifier of the key set corresponding to both the identifier of the first terminal set and the identifier of the first application;
the determining module is further configured to determine the obtained identifier of the key set as the identifier of the first key set;
the sending module is further configured to send an information acquisition response to the data gateway, where the information acquisition response includes an identifier of the first terminal group and an identifier of the first key group.
17. A data processing apparatus, comprising: the device comprises a receiving module, a processing module, a sending module and a storage module;
the receiving module is configured to receive a key allocation request sent by a first service device, where the key allocation request includes identifiers of a plurality of terminal groups and identifiers of first application programs, the plurality of terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, the first application program is an application program corresponding to the first service device, and the key allocation request is used to request to allocate keys for the plurality of terminal groups;
the processing module is configured to allocate key sets for the plurality of terminal sets, where a key set corresponding to one terminal set is a key set corresponding to both an identifier of the terminal set and an identifier of the first application program;
the sending module is configured to send a key allocation response to the first service device, where the key allocation response includes identifiers of key groups corresponding to the multiple terminal groups;
the storage module is used for storing the identifiers of the plurality of terminal groups, the identifiers of the first application program and the public keys corresponding to the plurality of terminal groups to a data integrity verification account book;
The sending module is further configured to send, to the data gateway, the private keys corresponding to the plurality of terminal groups and the identities of the key groups corresponding to the plurality of terminal groups, where the public key corresponding to one terminal group is a public key included in the key group corresponding to both the identity of the terminal group and the identity of the first application, and the private key corresponding to one terminal group is a private key included in the key group corresponding to both the identity of the terminal group and the identity of the first application.
18. The data processing apparatus of claim 17, wherein the data processing apparatus further comprises an acquisition module and a determination module;
the receiving module is further configured to receive a data verification ledger query request sent by the first service device, where the data verification ledger query request includes an identifier of a first terminal group and an identifier of the first application program, and the data verification ledger query request is used to request to obtain a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program, where the first terminal group is one of the plurality of terminal groups;
the acquiring module is configured to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program from the data integrity verification ledger based on the identifier of the first terminal group and the identifier of the first application program;
The determining module is configured to determine the obtained public key as a first public key, where the first public key is a public key included in a first key group, and the first key group is a key group corresponding to both an identifier of the first terminal group and an identifier of the first application program;
the sending module is further configured to send a data verification ledger query response to the first service device, where the data verification ledger query response includes a first public key.
19. A server, the server comprising:
a processor;
a memory configured to store the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the data processing method of any of claims 1-3, or to implement the data processing method of any of claims 4-7, or to implement the data processing method of claim 8 or 9.
20. A computer readable storage medium having instructions stored thereon, which, when executed by a server, enable the server to perform the data processing method according to any one of claims 1-3, or the data processing method according to any one of claims 4-7, or the data processing method according to claim 8 or 9.
CN202111342923.1A 2021-11-12 2021-11-12 Data processing method, device, server and storage medium Active CN114124404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111342923.1A CN114124404B (en) 2021-11-12 2021-11-12 Data processing method, device, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111342923.1A CN114124404B (en) 2021-11-12 2021-11-12 Data processing method, device, server and storage medium

Publications (2)

Publication Number Publication Date
CN114124404A CN114124404A (en) 2022-03-01
CN114124404B true CN114124404B (en) 2023-07-07

Family

ID=80379428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111342923.1A Active CN114124404B (en) 2021-11-12 2021-11-12 Data processing method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN114124404B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117195300B (en) * 2023-09-20 2024-03-29 全拓科技(杭州)股份有限公司 Big data safety protection method, device and system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108604990A (en) * 2016-12-02 2018-09-28 华为技术有限公司 The application method and device of local authorized certificate in terminal
CN108769038A (en) * 2018-06-04 2018-11-06 立旃(上海)科技有限公司 Data processing method based on block chain and device
CN111488596A (en) * 2020-03-30 2020-08-04 腾讯科技(深圳)有限公司 Data processing permission verification method and device, electronic equipment and storage medium
CN111932426A (en) * 2020-09-15 2020-11-13 支付宝(杭州)信息技术有限公司 Identity management method, device and equipment based on trusted hardware
CN112311537A (en) * 2020-10-30 2021-02-02 国网江苏省电力有限公司信息通信分公司 Block chain-based equipment access authentication system and method
CN113067703A (en) * 2021-03-19 2021-07-02 上海摩联信息技术有限公司 Terminal equipment data uplink method and system
CN113468569A (en) * 2021-07-13 2021-10-01 京东科技控股股份有限公司 Data encryption method and device and data decryption method and device
CN113497778A (en) * 2020-03-18 2021-10-12 北京同邦卓益科技有限公司 Data transmission method and device
CN113497709A (en) * 2020-04-02 2021-10-12 浪潮云信息技术股份公司 Trusted data source management method based on block chain, signature device and verification device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11698979B2 (en) * 2018-03-27 2023-07-11 Workday, Inc. Digital credentials for access to sensitive data
US11770261B2 (en) * 2018-03-27 2023-09-26 Workday, Inc. Digital credentials for user device authentication

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108604990A (en) * 2016-12-02 2018-09-28 华为技术有限公司 The application method and device of local authorized certificate in terminal
CN108769038A (en) * 2018-06-04 2018-11-06 立旃(上海)科技有限公司 Data processing method based on block chain and device
CN113497778A (en) * 2020-03-18 2021-10-12 北京同邦卓益科技有限公司 Data transmission method and device
CN111488596A (en) * 2020-03-30 2020-08-04 腾讯科技(深圳)有限公司 Data processing permission verification method and device, electronic equipment and storage medium
CN113497709A (en) * 2020-04-02 2021-10-12 浪潮云信息技术股份公司 Trusted data source management method based on block chain, signature device and verification device
CN111932426A (en) * 2020-09-15 2020-11-13 支付宝(杭州)信息技术有限公司 Identity management method, device and equipment based on trusted hardware
CN112311537A (en) * 2020-10-30 2021-02-02 国网江苏省电力有限公司信息通信分公司 Block chain-based equipment access authentication system and method
CN113067703A (en) * 2021-03-19 2021-07-02 上海摩联信息技术有限公司 Terminal equipment data uplink method and system
CN113468569A (en) * 2021-07-13 2021-10-01 京东科技控股股份有限公司 Data encryption method and device and data decryption method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
区块链在工业互联网标识数据管理策略研究;汪允敏;李挥;王菡;白永杰;宁崇辉;;计算机工程与应用(第07期);全文 *

Also Published As

Publication number Publication date
CN114124404A (en) 2022-03-01

Similar Documents

Publication Publication Date Title
CN1996834B (en) Method and apparatus for acquiring domain information and domain-related data
US10581849B2 (en) Data packet transmission method, data packet authentication method, and server thereof
CN108390885B (en) Method for obtaining equipment identification, communication entity, communication system and storage medium
CN111224781A (en) Method and apparatus for managing registration certificates in a secure credential management system
KR20190115515A (en) AUTHENTICATION METHOD AND SYSTEM OF IoT(Internet of Things) DEVICE BASED ON PUBLIC KEY INFRASTRUCTURE
CN114124404B (en) Data processing method, device, server and storage medium
CN106713315B (en) Login method and device of plug-in application program
CN111414640B (en) Key access control method and device
CN111182527B (en) OTA (over the air) firmware upgrading method and device, terminal equipment and storage medium thereof
CN104782099B (en) Certification request accesses the method and system of at least one terminal of at least one resource
CN112019603B (en) Transaction data processing method and device
CN112511980B (en) Communication system, method and device
CN112039893B (en) Private transaction processing method and device, electronic equipment and readable storage medium
KR102318947B1 (en) Method for protecting privacy data, computing device and system for executing the method
CN109743237B (en) Authentication method of APP and gateway
CN114125812A (en) Data synchronization method, device, server and storage medium
CN114124494B (en) Data processing method, device, equipment and storage medium
CN109587241B (en) Data sharing method and equipment
KR101406530B1 (en) Method and system for managing secret key service using smart meter
CN113490249B (en) Transmission path determining method and device
CN112350868A (en) Wall opening processing method, device, server, system and readable storage medium
CN116094869B (en) Corresponding relation generation method and device, server and storage medium
CN112153021B (en) Service data acquisition method and device
CN112202725B (en) Service verification method and device
CN112469139B (en) Network channel establishment system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant